cto-ai-cli 3.1.0 → 4.0.0

package/DOCS.md

@@ -5,6 +5,8 @@
 ## Table of Contents
 
 - [CLI Commands](#cli-commands)
+- [Security Audit](#security-audit---audit)
+- [Context Gateway](#context-gateway)
 - [MCP Server](#mcp-server)
 - [API Server](#api-server)
 - [Programmatic API](#programmatic-api)
@@ -83,6 +85,356 @@ cto2 policy validate
 cto2 policy init
 ```
 
+### `npx cto-ai-cli` (zero-install CLI)
+
+The default binary. All flags work with zero install via `npx`.
+
+```bash
+npx cto-ai-cli                           # Score your project
+npx cto-ai-cli ./path                    # Score a specific project
+npx cto-ai-cli --fix                     # Auto-generate .cto/context.md, config.json, .cteignore
+npx cto-ai-cli --context "your task"     # Task-specific context with file contents
+npx cto-ai-cli --audit                   # Security audit: detect secrets & PII
+npx cto-ai-cli --report                  # Shareable markdown report + shields.io badge
+npx cto-ai-cli --compare                 # Compare your score vs popular open source projects
+npx cto-ai-cli --benchmark              # CTO vs naive vs random comparison
+npx cto-ai-cli --json                    # Machine-readable JSON output
+npx cto-ai-cli --help                    # Show all options
+```
+
+Flags can be combined: `npx cto-ai-cli --fix --audit --report --compare`
+
+---
+
+## Security Audit (`--audit`)
+
+Full-project secret and PII detection. Scans all source files for hardcoded credentials, tokens, keys, passwords, connection strings, and personally identifiable information.
+
+### Usage
+
+```bash
+npx cto-ai-cli --audit                   # Full audit with terminal output
+npx cto-ai-cli --audit --fix             # Audit + auto-generate context files
+CI=true npx cto-ai-cli --audit           # CI mode: exit code 1 on critical/high findings
+```
+
+### Detection engine
+
+CTO uses a **dual-strategy** detection approach:
+
+**1. Pattern matching (30+ patterns)**
+
+| Type | Pattern examples | Severity |
+|------|-----------------|----------|
+| `api-key` | OpenAI `sk-*`, Anthropic `sk-ant-*`, Stripe `sk_live_*`, Google `AIza*`, SendGrid `SG.*.*` | Critical |
+| `aws-key` | `AKIA*` (Access Key ID), `aws_secret_access_key=*` | Critical |
+| `token` | GitHub `ghp_*`/`gho_*`, GitLab `glpat-*`, Slack `xoxb-*`/`xoxp-*`, npm `npm_*`, JWT `eyJ*.*.*` | Critical/High |
+| `private-key` | `-----BEGIN RSA PRIVATE KEY-----`, `-----BEGIN OPENSSH PRIVATE KEY-----` | Critical |
+| `connection-string` | `mongodb://user:pass@host`, `postgres://`, `DATABASE_URL=` | Critical |
+| `password` | `password=`, `DB_PASSWORD=`, `MYSQL_PASSWORD=` | High |
+| `env-variable` | `SECRET_KEY=`, `PRIVATE_TOKEN=`, `ENCRYPTION_PASS=` | High |
+| `pii` | Email addresses, possible SSNs | Medium |
+
+**2. Shannon entropy analysis**
+
+For strings that don't match a known pattern but look like secrets:
+- Scans all quoted strings ≥40 characters
+- Calculates Shannon entropy (randomness measure)
+- Flags strings with entropy ≥5.0 bits (very random = likely a secret)
+- Automatically skips: hex hashes, camelCase identifiers, base64 padding, integrity hashes, comments, test files
+
+### Smart filtering (false positive reduction)
+
+The scanner skips:
+- **Placeholders**: `${API_KEY}`, `{{SECRET}}`, `YOUR_KEY_HERE`, `CHANGE_ME`, `example`, `TODO`, `dummy`, `sample`
+- **Test files**: `*.test.ts`, `*.spec.ts`, `__tests__/*` (entropy analysis only — patterns still apply)
+- **Declaration files**: `*.d.ts` (entropy analysis only)
+- **Comments**: Lines starting with `//`, `#`, `*`
+
+### Output artifacts
+
+| File | Format | Purpose |
+|------|--------|---------|
+| `.cto/audit/YYYY-MM-DD.jsonl` | JSON Lines (append-only) | Audit log — one entry per run. Run daily to build history. |
+| `.cto/audit/report.md` | Markdown | Full report with findings table — share with team or compliance. |
+| `.cto/.env.example` | Text | Auto-generated `.env` template with all detected variable names. |
+
+### Audit log format (`.jsonl`)
+
+Each line is a JSON object:
+
+```json
+{
+  "timestamp": "2026-02-24T23:38:00.000Z",
+  "version": "3.2.0",
+  "summary": {
+    "filesScanned": 179,
+    "filesWithSecrets": 12,
+    "totalFindings": 51,
+    "bySeverity": { "critical": 34, "high": 5, "medium": 12, "low": 0 },
+    "byType": { "api-key": 21, "private-key": 5, "aws-key": 4, "token": 4, "connection-string": 3, "password": 2, "pii": 12 }
+  },
+  "findings": [
+    { "type": "api-key", "file": "src/config/stripe.ts", "line": 8, "severity": "critical", "redacted": "sk_l********************yZ" }
+  ]
+}
+```
+
+### Programmatic API
+
+```typescript
+import { auditProject, scanContentForSecrets, scanContentForHighEntropy } from 'cto-ai-cli/govern';
+
+// Full project audit
+const result = await auditProject('/path/to/project', filePaths, {
+  customPatterns: ['MY_INTERNAL_TOKEN=[a-z0-9]+'],  // optional extra patterns
+  entropyThreshold: 5.0,                            // default: 5.0
+  includePII: true,                                 // default: true
+});
+
+console.log(result.summary);          // { totalFindings, bySeverity, byType, ... }
+console.log(result.findings);         // SecretFinding[]
+console.log(result.recommendations);  // string[]
+
+// Scan a single string
+const findings = scanContentForSecrets(code, 'file.ts');
+
+// Entropy-only scan
+const entropyFindings = scanContentForHighEntropy(code, 'file.ts', 5.0);
+```
+
+### CI/CD integration
+
+When `CI=true` is set, `--audit` exits with code 1 if any critical or high-severity findings are detected. Use this in:
+
+**GitHub Actions:**
+```yaml
+- name: CTO Security Audit
+  run: npx cto-ai-cli --audit
+  env:
+    CI: true
+```
+
+**Pre-commit hook (`.husky/pre-commit`):**
+```bash
+CI=true npx cto-ai-cli --audit
+```
+
+### Recommendations engine
+
+Based on findings, CTO generates actionable recommendations:
+
+| Finding type | Recommendation |
+|-------------|----------------|
+| Any critical | "Rotate all detected credentials immediately" |
+| `password` | "Move passwords to environment variables or a secrets manager" |
+| `api-key` / `aws-key` | "Use environment variables. Never commit to source control" |
+| `connection-string` | "Database connection strings should use environment variables" |
+| `private-key` | "Private keys should NEVER be in source code. Use a key management service" |
+| `pii` | "Review for GDPR/CCPA compliance. Consider data anonymization" |
+| `high-entropy` | "High-entropy strings detected. Review manually" |
+| Any finding | "Add .gitignore entry for .env files" + "Run --audit regularly or add to CI" |
+
+---
+
+## Context Gateway
+
+A transparent HTTP proxy that sits between your application and any LLM provider. It intercepts every request, scans for secrets, optimizes context, tracks costs, and enforces budgets — all with zero external dependencies.
+
+### Quick start
+
+```bash
+npx cto-gateway                    # Start on port 8787
+npx cto-gateway --port 9000        # Custom port
+npx cto-gateway --block-secrets    # Hard block on critical secrets
+npx cto-gateway --budget-daily 10  # $10/day limit
+```
+
+Then point your app:
+```bash
+export OPENAI_BASE_URL=http://localhost:8787
+```
+
+Every request must include the target provider URL as a header:
+```
+x-cto-target: https://api.openai.com/v1/chat/completions
+```
+
+### Architecture
+
+```
+Your App → Gateway (localhost:8787) → Provider (api.openai.com)
+                │
+                ├── Secret Scanner  → redacts/blocks secrets in messages
+                ├── Context Optimizer → injects CTO-selected context
+                ├── Cost Tracker → logs per-request cost to JSONL
+                ├── Budget Guard → rejects requests over limit (429)
+                └── Dashboard → live web UI at /__cto
+```
+
+### CLI flags
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--port <n>` | `8787` | Port to listen on |
+| `--host <addr>` | `127.0.0.1` | Host to bind to |
+| `--project <path>` | `.` | Project to analyze for context optimization |
+| `--block-secrets` | off | Hard block requests with critical secrets (403) |
+| `--budget-daily <$>` | unlimited | Max cost per day — returns 429 when exceeded |
+| `--budget-monthly <$>` | unlimited | Max cost per month |
+| `--no-optimize` | on | Disable CTO context injection |
+| `--no-redact` | on | Disable secret redaction |
+| `--no-dashboard` | on | Disable web dashboard |
+
+### Provider detection
+
+The Gateway auto-detects providers from the `x-cto-target` URL and request headers:
+
+| Provider | Detection | Auth header |
+|----------|-----------|-------------|
+| OpenAI | `api.openai.com` or `/v1/chat/completions` | `Authorization: Bearer sk-...` |
+| Anthropic | `api.anthropic.com` or `anthropic-version` header | `x-api-key` |
+| Google AI | `generativelanguage.googleapis.com` | `x-goog-api-key` |
+| Azure OpenAI | `*.openai.azure.com` or `api-key` header | `api-key` |
+| Custom | Fallback — assumes OpenAI-compatible | `Authorization` |
+
+### Model pricing
+
+Built-in pricing for accurate cost tracking:
+
+| Model | Input ($/M tokens) | Output ($/M tokens) | Context window |
+|-------|--------------------|--------------------|----------------|
+| gpt-4o | $2.50 | $10.00 | 128K |
+| gpt-4o-mini | $0.15 | $0.60 | 128K |
+| o1 | $15.00 | $60.00 | 200K |
+| o3-mini | $1.10 | $4.40 | 200K |
+| claude-sonnet-4 | $3.00 | $15.00 | 200K |
+| claude-3.5-haiku | $0.80 | $4.00 | 200K |
+| gemini-2.5-pro | $1.25 | $10.00 | 1M |
+| gemini-2.0-flash | $0.10 | $0.40 | 1M |
+
+### Request lifecycle
+
+1. **Receive** — Client sends POST request to Gateway
+2. **Budget check** — If daily/monthly budget exceeded → 429
+3. **Parse** — Detect provider, extract messages from provider-specific format
+4. **Scan secrets** — Run 30+ patterns against all message content
+5. **Redact or block** — Replace secrets with `***REDACTED***` or return 403
+6. **Optimize context** — If analysis ready, inject CTO-selected files into system prompt
+7. **Forward** — Proxy to provider (streaming SSE or buffered)
+8. **Track** — Log cost, tokens, savings, latency to JSONL
+9. **Respond** — Forward provider response to client (zero-copy for streams)
+
+### Streaming support
+
+The Gateway fully supports Server-Sent Events (SSE) streaming:
+
+- Detects streaming from `Content-Type: text/event-stream`
+- Zero-copy passthrough: chunks are forwarded to client as they arrive
+- Async token tracking: parses SSE events in background without blocking the stream
+- Usage data extracted from final SSE chunk (when provider includes it)
+
+### Dashboard
+
+Available at `http://localhost:8787/__cto` (configurable via `--dashboardPath`).
+
+Shows:
+- **Today**: requests, cost, tokens saved, secrets redacted
+- **This month**: totals + budget progress
+- **Feature status**: optimization, redaction, tracking, audit log
+- **By model**: breakdown of requests, tokens, and cost per model
+- **By provider**: requests and cost per provider
+- Auto-refreshes every 30 seconds
+
+### Usage storage
+
+| File | Format | Description |
+|------|--------|-------------|
+| `.cto/gateway/usage/YYYY-MM.jsonl` | JSON Lines | One line per request. Monthly files. |
+
+Each line:
+```json
+{
+  "id": "a1b2c3d4",
+  "timestamp": "2026-02-24T23:52:00.000Z",
+  "provider": "openai",
+  "model": "gpt-4o",
+  "inputTokens": 1200,
+  "outputTokens": 350,
+  "costUSD": 0.0065,
+  "originalTokens": 6200,
+  "optimizedTokens": 1200,
+  "savedTokens": 5000,
+  "savedUSD": 0.0130,
+  "secretsRedacted": 2,
+  "secretsBlocked": false,
+  "latencyMs": 152,
+  "stream": true
+}
+```
+
+### Budget enforcement
+
+When a budget is set, the Gateway checks cost totals before every request:
+
+| Condition | HTTP response |
+|-----------|---------------|
+| Daily budget exceeded | `429 Too Many Requests` + `{ "error": "Daily budget exceeded", "budget": 10, "current": 10.42 }` |
+| Monthly budget exceeded | `429 Too Many Requests` + `{ "error": "Monthly budget exceeded" }` |
+| Critical secrets + `--block-secrets` | `403 Forbidden` + `{ "error": "Request blocked: secrets detected" }` |
+
+Budget alerts are emitted at 80% of limit (configurable via `alertThreshold`).
+
+### Programmatic API
+
+```typescript
+import { ContextGateway, UsageTracker } from 'cto-ai-cli/gateway';
+
+const gateway = new ContextGateway({
+  port: 8787,
+  projectPath: '/path/to/project',
+  redactSecrets: true,
+  blockOnSecrets: false,
+  budgetDaily: 20,
+  budgetMonthly: 500,
+});
+
+// Listen to events
+gateway.onEvent((event) => {
+  if (event.type === 'request') console.log(`${event.record.model}: $${event.record.costUSD}`);
+  if (event.type === 'budget-alert') console.log(`Budget warning: ${event.period}`);
+});
+
+await gateway.start();
+
+// Get usage summary
+const tracker = gateway.getTracker();
+const summary = tracker.getSummary('month');
+console.log(`This month: ${summary.totalRequests} requests, $${summary.totalCostUSD}`);
+
+// Provider detection (standalone)
+import { detectProvider, estimateCost } from 'cto-ai-cli/gateway';
+
+const provider = detectProvider('https://api.openai.com/v1/chat/completions', {});
+const cost = estimateCost(provider, 'gpt-4o', 5000, 1000);
+```
+
+### Interceptor (standalone)
+
+```typescript
+import { interceptRequest } from 'cto-ai-cli/gateway';
+import type { Message, GatewayConfig } from 'cto-ai-cli/gateway';
+
+const messages: Message[] = [
+  { role: 'user', content: 'Deploy with key sk-live_abc123...' },
+];
+
+const result = await interceptRequest(messages, config, analysis);
+// result.secretsRedacted → 1
+// result.messages[0].content → 'Deploy with key sk-l**********23...'
+// result.decisions → ['Redacted 1 secret(s) in user message: api-key']
+```
+
 ---
 
 ## MCP Server

package/README.md

@@ -3,7 +3,7 @@
 > **Early access** — This is a test version. We'd love your feedback.
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
-[![Tests](https://img.shields.io/badge/tests-433_passing-brightgreen.svg)](#)
+[![Tests](https://img.shields.io/badge/tests-573_passing-brightgreen.svg)](#)
 
 ## Try it now (zero install)
 
@@ -77,10 +77,15 @@ Without type definitions, the AI invents interfaces — wrong property names, wr
 ### Option 1: Quick score (no install)
 
 ```bash
-npx cto-ai-cli                 # Score your project
-npx cto-ai-cli ./my-project    # Score a specific project
-npx cto-ai-cli --benchmark     # Compare CTO vs naive vs random
-npx cto-ai-cli --json          # Machine-readable output (for CI)
+npx cto-ai-cli                           # Score your project
+npx cto-ai-cli ./my-project              # Score a specific project
+npx cto-ai-cli --fix                     # Auto-generate optimized context files
+npx cto-ai-cli --context "your task"     # Task-specific context for AI prompts
+npx cto-ai-cli --audit                   # Security audit: detect secrets & PII
+npx cto-ai-cli --report                  # Shareable report + README badge
+npx cto-ai-cli --compare                 # Compare your score vs popular projects
+npx cto-ai-cli --benchmark               # CTO vs naive vs random comparison
+npx cto-ai-cli --json                    # Machine-readable output (for CI)
 ```
 
 ### Option 2: Full install
@@ -197,17 +202,187 @@ Without these files, the AI has to guess the shape of `AnalyzedFile`, `ContextSe
 
 ---
 
+## 🔒 Security Audit — detect secrets before AI sees them
+
+Every time you send code to an AI, there's a risk: **API keys, tokens, passwords, and PII hiding in your codebase.**
+
+CTO now scans your entire project for secrets — before they end up in an AI prompt.
+
+```bash
+npx cto-ai-cli --audit
+```
+
+```
+  🔍 Running security audit...
+
+  ╔══════════════════════════════════════════════════╗
+  ║                                                  ║
+  ║   🔴 Security Audit: CRITICAL ISSUES FOUND       ║
+  ║                                                  ║
+  ║   Files scanned:  179                            ║
+  ║   Files affected: 12                             ║
+  ║   Total findings: 51                             ║
+  ║                                                  ║
+  ╠══════════════════════════════════════════════════╣
+  ║                                                  ║
+  ║   🔴 Critical: 34                                ║
+  ║   🟠 High:     5                                 ║
+  ║   🟡 Medium:   12                                ║
+  ║                                                  ║
+  ╚══════════════════════════════════════════════════╝
+
+  Findings:
+
+  🔴 CRITICAL src/config/stripe.ts:8
+             api-key: sk_l********************yZ
+  🔴 CRITICAL src/config/database.ts:14
+             connection-string: post********************db
+  🟠 HIGH     src/utils/email.ts:22
+             pii: admi**********om
+
+  Recommendations:
+
+  🚨 CRITICAL: Rotate all detected credentials immediately.
+  💡 Use environment variables for API keys.
+  💡 Add a .gitignore entry for .env files.
+
+  📁 Audit artifacts:
+  📋 .cto/audit/2026-02-24.jsonl   Audit log (append-only)
+  📊 .cto/audit/report.md          Full report
+  📝 .cto/.env.example             Template for environment variables
+```
+
+### What it detects
+
+| Category | Examples | Severity |
+|----------|----------|----------|
+| **API Keys** | OpenAI, Anthropic, Stripe, Google, SendGrid, Azure | 🔴 Critical |
+| **Cloud credentials** | AWS Access Keys, AWS Secrets | 🔴 Critical |
+| **Tokens** | GitHub, GitLab, Slack, npm, JWT | 🔴 Critical |
+| **Private keys** | RSA, SSH, EC private keys | 🔴 Critical |
+| **Database** | Connection strings (Postgres, MongoDB, Redis, MySQL) | 🔴 Critical |
+| **Passwords** | Hardcoded passwords, DB passwords | 🟠 High |
+| **PII** | Email addresses, possible SSNs | 🟡 Medium |
+| **High-entropy strings** | Random strings that look like secrets (Shannon entropy analysis) | 🟡 Medium |
+
+### How it works
+
+1. **30+ regex patterns** — battle-tested patterns for known secret formats (AWS, Stripe, Slack, GitHub, etc.)
+2. **Shannon entropy analysis** — detects random-looking strings that may be secrets, even if they don't match a known pattern
+3. **Smart filtering** — skips placeholders (`${API_KEY}`), test files, comments, and common false positives
+4. **Auto-redaction** — secrets are NEVER shown in full. All output uses redacted values (`sk_l**********yZ`)
+
+### What it generates
+
+| File | Purpose |
+|------|---------|
+| `.cto/audit/YYYY-MM-DD.jsonl` | Append-only audit log (run it daily, keep history) |
+| `.cto/audit/report.md` | Full markdown report — share with your team or compliance |
+| `.cto/.env.example` | Auto-generated template with all detected env variable names |
+
+### CI/CD integration
+
+Set `CI=true` and the audit will **exit with code 1** if critical or high-severity secrets are found:
+
+```bash
+CI=true npx cto-ai-cli --audit
+```
+
+Perfect for pre-commit hooks or CI pipelines — block PRs that contain secrets before they reach production or an AI prompt.
+
+### Why this matters
+
+Every day, developers accidentally send secrets to AI tools:
+- Copilot autocompletes with your `.env` values in context
+- You paste a file into ChatGPT that has a hardcoded API key
+- Cursor reads your database config with connection strings
+
+**CTO catches these before they leave your machine.** Zero external calls. Everything runs locally.
+
+---
+
+## 🌐 Context Gateway — AI proxy for your entire team
+
+Every AI API call from your team passes through the Gateway. It sits between your app and any LLM provider, automatically optimizing context, redacting secrets, and tracking costs.
+
+```bash
+npx cto-gateway
+```
+
+```
+  ⚡ CTO Context Gateway v4.0.0
+
+  🌐 Proxy:      http://127.0.0.1:8787
+  📊 Dashboard:  http://127.0.0.1:8787/__cto
+  📁 Project:    /your/project
+
+  ✅ Context optimization
+  ✅ Secret redaction
+  ✅ Cost tracking
+  ⬜ Daily budget (unlimited)
+
+  How to connect:
+    OPENAI_BASE_URL=http://127.0.0.1:8787
+    + set header: x-cto-target: https://api.openai.com/v1/chat/completions
+
+  Waiting for requests...
+
+  18:52:34  openai/gpt-4o  1200 tokens  $0.0075 (saved 5.2K tokens, $0.0130) [2 secrets redacted]  152ms
+```
+
+### What it does
+
+| Feature | Description |
+|---------|-------------|
+| **Secret redaction** | Scans every message for API keys, tokens, passwords → auto-redacts before sending to the LLM |
+| **Secret blocking** | Optional hard block — reject requests that contain critical secrets |
+| **Context optimization** | Injects CTO-selected files, type definitions, and hub modules into system prompts |
+| **Cost tracking** | Tracks per-request cost by model and provider. Persistent JSONL logs. |
+| **Budget enforcement** | Set daily/monthly limits. Gateway returns 429 when exceeded. |
+| **Live dashboard** | Dark-theme web UI at `/__cto` — today's stats, monthly breakdown, model costs |
+| **SSE streaming** | Full passthrough of streaming responses with zero-copy. No added latency. |
+| **Multi-provider** | OpenAI, Anthropic, Google AI, Azure OpenAI, and any OpenAI-compatible API |
+
+### Supported providers & models
+
+| Provider | Models | Pricing tracked |
+|----------|--------|----------------|
+| **OpenAI** | GPT-4o, GPT-4o Mini, o1, o1-mini, o3-mini | ✅ |
+| **Anthropic** | Claude Sonnet 4, Claude 3.5 Haiku, Claude 3 Opus | ✅ |
+| **Google** | Gemini 2.5 Pro, Gemini 2.0 Flash, Gemini 1.5 Pro | ✅ |
+| **Azure OpenAI** | Same as OpenAI (different hosting) | ✅ |
+| **Custom** | Any OpenAI-compatible API (Ollama, LiteLLM, etc.) | Manual |
+
+### Configuration
+
+```bash
+cto-gateway --port 9000                  # Custom port
+cto-gateway --block-secrets              # Hard block on critical secrets
+cto-gateway --budget-daily 10            # Max $10/day
+cto-gateway --budget-monthly 200         # Max $200/month
+cto-gateway --project ./my-app           # Analyze a specific project
+cto-gateway --no-optimize                # Disable context injection
+cto-gateway --no-redact                  # Disable secret redaction
+```
+
+---
+
 ## What you can do with CTO
 
 | Use case | How |
 |----------|-----|
 | **Score your project** | `npx cto-ai-cli` |
-| **Compare strategies** | `npx cto-ai-cli --benchmark` |
-| **Get optimized context for a task** | `cto2 interact "your task"` |
-| **PR-focused context** | `cto2 interact --pr "review this PR"` |
+| **Auto-optimize context** | `npx cto-ai-cli --fix` → generates `.cto/context.md` to paste into AI |
+| **Task-specific context** | `npx cto-ai-cli --context "refactor auth"` → optimized for your task |
+| **Security audit** | `npx cto-ai-cli --audit` → detect secrets & PII before AI sees them |
+| **AI proxy (Gateway)** | `npx cto-gateway` → proxy with secret redaction + cost tracking |
+| **Shareable report** | `npx cto-ai-cli --report` → markdown report + README badge |
+| **Compare vs open source** | `npx cto-ai-cli --compare` → your score vs Zod, Next.js, Express |
+| **Compare strategies** | `npx cto-ai-cli --benchmark` → CTO vs naive vs random |
+| **Get context for a task** | `cto2 interact "your task"` |
 | **Use in your AI editor** | Add MCP server (see setup above) |
-| **Use in CI/CD** | GitHub Action posts score on every PR |
-| **Use as an API** | `cto2-api` starts an HTTP server |
+| **Block secrets in CI** | `CI=true npx cto-ai-cli --audit` |
+| **Budget control** | `cto-gateway --budget-daily 10 --budget-monthly 200` |
 | **JSON output (scripting)** | `npx cto-ai-cli --json` |
 
 ---
@@ -226,10 +401,12 @@ This is an early test version. Here's what we know:
 ## What's next
 
 We're working on:
-- **More language support** — deeper analysis for Python and Go
-- **VS Code extension** — see risk scores and context suggestions inline
-- **Model-specific optimization** — different context for GPT-4 vs Claude vs Gemini
-- **Team features** — share learned patterns across your team
+- **Context Gateway** — proxy between your team and any AI, with automatic context optimization and cost tracking
+- **Monorepo intelligence** — package-aware selection for large monorepos (60-80% more token savings)
+- **CI Quality Gate** — GitHub Action that posts context score and secret audit on every PR
+- **VS Code extension** — live score, risk indicators, and context suggestions inline
+- **Learning mode** — CTO improves based on which AI suggestions you accept/reject
+- **More language support** — deeper analysis for Python, Go, and Rust
 - **Your feedback** — [open an issue](https://github.com/cto-ai/cto-ai-cli/issues) or reach out
 
 ---
@@ -241,7 +418,7 @@ git clone <repo-url>
 cd cto
 npm install
 npm run build
-npm test          # 433 tests
+npm test          # 573 tests
 npm run typecheck # strict TypeScript
 ```